Why ALBIRIOX warrants analysis
ALBIRIOX is an Android-focused Remote Access Trojan (RAT) with the potential to impact organisations operating cloud/SaaS environments where employees access corporate resources and files from personal mobile devices.
While ALBIRIOX’s primary function and goal is cryptocurrency theft and other fraud, it has other core capabilities such as real-time screen surveillance, live keylogging, credential phishing HTML overlays, device PIN capture, notification/SMS interception, and full remote device control/filesystem access.
The central risk with this malware is that a single compromised personal mobile device gives an attacker persistent access into the cloud applications that the employee uses. The attacker does not need to compromise the organisation's infrastructure and does not need to bypass MFA, SSO, or Zero Trust policies, because the malware operates downstream of all authentication.
This analysis will isolate the specific ALBIRIOX capabilities that may create risk and exposure for cloud/SaaS environments, explaining why each capability is effective in a BYOD threat model. JUMPSEC’s research on BYOD access models and device‑trust erosion provides further context on malware operating downstream of authentication.
Background
ALBIRIOX is sold as Malware-as-a-Service (MaaS) on underground cybercrime forums. The initial sales thread was posted on 14th October 2025, and since then the developer has updated the malware frequently, with the latest update on 20th February 2026.
The developer has posted the new ALBIRIOX domain, which advertises several of the features analysed below, a video showcase, contact information, and pricing: $1420 for the full version and $1300 for the dropper-less version.
The ALBIRIOX advertising, sales, prices and payment instructions
Using VirusTotal and looking up the latest ALBIRIOX domain, we can see in the relations that the domain was purchased using the njal.la registrar.
DNS Records for albiriox[.]sc show NJALLA registrar
NJALLA claim to be “the world's most notorious ‘Privacy as a Service’ provider of domains, VPS’ and VPNs.” And this is true! Many threat actors on this forum have mentioned and recommended NJALLA for their services.
Threat actors share positive opinions on NJALLA’s services
Threat Capability
Real-Time Screen Surveillance (VNC-Like Access)
ALBIRIOX streams the victim’s screen to the attacker's C2 in near real time at roughly 25 frames per second, using two different capture methods:
1) Accessibility Tree (Skeleton) Mode: This mode captures the full UI hierarchy of the active window on the device: every text field, button label, list item, and their values. It is not a screenshot; it is a 1:1 representation of everything on screen, including content that may be visually obscured.
In the screenshot below a fake system update is being shown on the phone, but the attacker can still control the phone through the UI elements. A “Skeleton” VNC layout – Source: https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets
2) Screenshot Mode: This mode uses Android’s “AccessibilityService.takeScreenshot()” API to capture screenshots and stream them to the C2.
The accessibility “skeleton” VNC mode is especially useful for the attacker because it captures text context that the screenshot mode would miss, such as auto-filled passwords and content behind soft keyboards.
We can see this functionality in the decompiled code:
The “set_vnc_mode” command is used to change between the Accessibility “Skeleton” mode and the Screenshot mode
Live Keylogging Across All Applications
ALBIRIOX monitors the keyboard on the device via Accessibility permissions, which gives the attacker far more context than a plain log of keys pressed. The information displayed to the attacker includes:
- Text content being typed
- Before/after text values (diffing characters)
- Package name and class name of the current app
- Whether or not a “password” field is detected
- Resource ID of the input field
This is not limited to device PINs. Any text typed into any application is captured. For a BYOD user accessing an organisation’s SaaS, this means:
- SSO credentials (Okta, Azure AD, Google) can be compromised, including MFA-protected passwords: the attacker gets the password and can watch the MFA approval in real time.
- Search queries in corporate systems can reveal customer PII, internal project names, etc.
- Team communications through Slack, Teams, or email are captured before the message is sent.
- Form submissions in any SaaS tool, CRM data entries, logins, etc. can be compromised.
The Resource ID of input fields is especially impactful, as this allows the attacker to programmatically filter for high-value input fields across SaaS applications rather than manually reviewing all captured keystrokes.
After keystrokes have been captured, the malware uses the “sendLiveKeyEvent” function to send the data to the C2.
We can then see the “Live key event sent:” log after this has completed:
Credential Phishing Overlays Against Targeted Apps
Alongside the keylogger, ALBIRIOX also monitors the foreground application. When a targeted app is detected, it launches a full-screen phishing overlay that mimics the application's login page. Over 200 applications are supported by this feature, with two specific overlays:
- PIN Mode: A 6-digit entry screen with a numeric keypad and a fake biometric prompt.
- Password Mode: A dark-themed AUTHENTICATION password field.
When a password or PIN is entered into the field, the captured data is sent to the C2 with the highest priority.
Some of the targeted apps in this list include:
- PayPal
- Revolut
- N26
While this target list leans towards financial and crypto apps, the phishing overlay is generic and command-driven: the C2 operator can trigger it against any foreground application. A simple server-side configuration update could add Okta, Microsoft Authenticator, Google Workspace, Salesforce, or any other corporate SaaS application to the target list without modifying the APK itself.
Full Remote Device Control
The attacker has the ability to fully control the device as if it were in their own hands. The following table shows the available commands:
| Command | Capability |
| --- | --- |
| click | Tap any screen coordinate via dispatchGesture() |
| swipe | Swipe gestures with configurable start/end points |
| text | Inject arbitrary text into any focused input field |
| back / home / recent / power | Simulate hardware button presses |
| launch_app | Open any installed application by package name |
| uninstall_app | Trigger uninstall of any app (e.g., security agents) |
| screenshot | Capture on-demand screenshots |
Full remote-control functionality turns the device from a surveillance and data exfiltration tool into an active attack tool: an attacker can easily act on behalf of the employee within the organisation's network.
The “handleControlMessage” function is what controls the commands here.
Mobile Notifications Interception
Mobile notifications can be intercepted by ALBIRIOX. Captured data includes the notification title, body text, source package, and ticker text. All of this data is also sent to the C2.
Mobile notifications are a rich source of information about an organisation’s environment: email previews, authentication OTPs/SMS 2FA codes, Slack/Teams messages, and MFA push notifications can all be intercepted and used to further compromise the organisation.
| Notification Source | Exposed Information |
| --- | --- |
| Email previews | Subject lines, sender names, first lines of email body |
| Slack/Teams | Message previews from channels and DMs |
| MFA push notifications | Confirms authentication events, reveals which services are being accessed |
| SMS/Authenticator OTPs | Time-based one-time passwords for MFA (even without SMS permission, the notification preview is captured) |
| Calendar reminders | Meeting titles, participants, times — reveals schedules and projects |
| Cloud storage | File sharing notifications, collaboration invites |
| CI/CD | Build status, deployment notifications |
| Monitoring/alerting | PagerDuty, Datadog, OpsGenie alerts reveal infrastructure events |
Here we can see the “onAccessibilityEvent” function; “getPackageName” is called to obtain the package name of the app that posted the notification.
Screen Locking Overlay – Masking Active Theft
ALBIRIOX also has the unique ability to display a full-screen overlay that locks the user out of their device while attacker operations continue in the background. There are two modes for this functionality:
- Fake System Update: A convincing Android OS update screen with official branding and logos, an animated progress bar which lasts 5 minutes, and rotating status messages for added legitimacy. All audio streams are muted while this occurs.
- Black Screen: A simple pure black screen with no UI elements.
While the user sees “Installing system update…” and waits, the attacker works uninterrupted in the background. The overlay blocks the user from seeing what is happening, but the accessibility service permissions allow the remote-control functionality to remain fully operational. Risks here include:
- Extended data exfiltration: If the attacker wants to exfiltrate larger files undetected, this is the perfect method, as it gives the attacker 5 minutes of free rein.
- Account manipulation: The attacker can modify account permissions, generate API keys, change passwords, etc., all while remaining invisible to the user.
- Evidence destruction: Clearing log files, search history, sent messages.
- Dropping more malware: The attacker can manually install and set up different malware on the device while the fake update is displayed.
Persistence Mechanisms
ALBIRIOX has a total of 6 independent persistence mechanisms that make removal of the malware extremely difficult without a full factory reset.
| Mechanism | Restart Interval | Survives |
| --- | --- | --- |
| Foreground service (START_STICKY) | Immediate | App kill, task clear |
| Boot receiver (priority 999, directBootAware) | On boot | Device restart, direct boot |
| AlarmManager (setExactAndAllowWhileIdle) | Every 2 minutes | Doze mode, app standby |
| WorkManager (periodic) | Every 15 minutes | App force stop, Doze |
| Triple WakeLock | Continuous | CPU sleep, Wi-Fi sleep |
| Doze-resistant alarm | Every 9 minutes | Deep Doze |
There is also an “AntiRemove” function, which actively prevents uninstallation by monitoring the phone for Settings activity related to the app.
For example, if the user opens Settings and scrolls down to the malicious app, the “AntiRemove” function scans the UI for the malicious app's name using its Accessibility permissions. If it is found, the device is forced back to the home screen. This monitoring happens every 50ms and recognises “uninstall/remove” keywords across 82 different languages and 34 device-specific settings packages.
Indicators of Compromise (IOCs):
| Type | Value |
| --- | --- |
| C2 | 194.32.79.94:5555 |
| Package name | com.nmz.nmz |
| SHA256 | a0c9d6eb1932c96a11301c00cf96ce9767fb11401e090f215f972df06b09a878 |
| Cert SHA256 | 0cb1fcf7563d2fd97d682b06d9e2c5cacb4b8286ce0d2f1db0d781715913c86c |
| Accessibility Service | com.nmz.nmz/.AccessService |
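Every capability described above, from the skeleton VNC to the AntiRemove monitor, depends on the malware holding an enabled accessibility service, so the enabled-services setting is the first place to look when triaging a BYOD device. The following is an added triage helper (not from the original analysis and not ALBIRIOX code) that parses the output of two adb commands and flags both the Accessibility Service and package from the IOC table above and any accessibility service outside a corporate allowlist; the allowlist contents and the sample device output are constructed for illustration.

```python
# Added triage helper (not part of the original analysis or of ALBIRIOX itself).
# Input is the output of two real adb commands, passed in as strings:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
from typing import Dict, List

# Indicators taken from the IOC table in this analysis.
KNOWN_BAD_PACKAGES = {"com.nmz.nmz"}
KNOWN_BAD_SERVICES = {"com.nmz.nmz/.AccessService"}

# Hypothetical corporate allowlist of accessibility services a BYOD policy permits.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated ComponentName list stored in the setting.
    'settings get' prints the literal string 'null' when nothing is enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [s.strip() for s in raw.split(":") if s.strip()]


def parse_package_list(raw: str) -> List[str]:
    """Strip the 'package:' prefix from each line of 'pm list packages' output."""
    return [line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")]


def triage(services_raw: str, packages_raw: str) -> Dict[str, List[str]]:
    """Return known-indicator hits plus any accessibility service not on the allowlist."""
    services = parse_enabled_services(services_raw)
    packages = parse_package_list(packages_raw)
    return {
        "known_bad_packages": sorted(p for p in packages if p in KNOWN_BAD_PACKAGES),
        "known_bad_services": sorted(s for s in services if s in KNOWN_BAD_SERVICES),
        "unknown_accessibility_services": sorted(s for s in services if s not in ALLOWED_SERVICES),
    }


# Constructed sample device output (not captured from a real device) for a stand-alone run.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.nmz.nmz/.AccessService")
SAMPLE_PACKAGES = "package:com.android.chrome\npackage:com.nmz.nmz\npackage:com.slack\n"

if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_SERVICES, SAMPLE_PACKAGES).items():
        print(f"{finding}: {hits or 'none'}")
```

The unknown-services check is the one that generalises: a rebuilt or repackaged sample will change its package name and hash, but it still has to appear in this setting to function.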
MITRE ATT&CK Mapping
| Technique | ALBIRIOX Implementation | BYOD/Cloud Impact |
| --- | --- | --- |
| T1417.001 Input Capture: Keylogging | Live accessibility event keylogging | Captures SSO passwords, SaaS credentials, MFA codes, message content |
| T1417.002 Input Capture: GUI Input Capture | Accessibility tree capture at 25 FPS | Reads all on-screen content from every SaaS app |
| T1513 Screen Capture | Dual-mode screenshot + accessibility tree streaming | Real-time surveillance of corporate SaaS sessions |
| T1411 Input Prompt | Phishing overlays against 200+ apps | Credential theft for targeted applications |
| T1625.001 Hijack Execution Flow | Accessibility Service as full device control | Enables remote interaction with all device functions |
| T1418 Software Discovery | App enumeration with icons | Maps corporate SaaS footprint and security tools |
| T1629.001 Impair Defenses: Prevent Application Removal | 50ms anti-removal monitor, 82-language detection | Ensures prolonged undetected access to corporate sessions |
| T1541 Foreground Persistence | 5+ restart mechanisms | Survives all non-destructive remediation attempts |
| T1437.001 Application Layer Protocol | Raw TCP to 194.32.79.94:5555 | Exfiltration channel for stolen corporate data |
Final Take
As detailed, the target list leans towards financial and crypto apps, but the phishing overlay is generic and command-driven, and the C2 operator can trigger it against any foreground application. A simple server-side configuration update could add Okta, Microsoft Authenticator, Google Workspace, Salesforce, or any other corporate SaaS application to the target list without modifying the APK itself.
ALBIRIOX typically operates as a financial theft trojan designed to steal cryptocurrency wallet information and banking authentication data through its overlay attacks and abuse of accessibility permissions. The malware is not specifically designed to target an organisation's infrastructure, but its presence on a personal device used under a BYOD policy introduces an additional risk vector.
If the compromised device is used to access the organisation's services, such as cloud dashboards, email, or SSO portals, the malware will steal those session tokens or credentials, which can facilitate unauthorised access to the organisation’s network.
Jack Lewis
Jack is a security researcher with a strong focus on malware analysis, tracking new threat actors and campaigns, reverse engineering, patch diffing, and proactive threat hunting.
